100% satisfaction guarantee Immediately available after payment Both online and in PDF No strings attached
logo-home
Previously searched by you
Previously searched by you
logo
SANS GCIH (SEC504) QUESTIONS WITH SOLUTIONS $18.49   Add to cart
Quickly navigate to
Preview
  2.  
  3. SANS
  4.  
  5. SANS

Exam (elaborations)

SANS GCIH (SEC504) QUESTIONS WITH SOLUTIONS
 4 views  0 purchase
  • Course
  • SANS
  • Institution
  • SANS

Exam of 24 pages for the course SANS at SANS (SANS GCIH (SEC504))

Preview 3 out of 24  pages

Document information

  • August 3, 2024
  • 24
  • 2024/2025
  • Exam (elaborations)
  • Questions & answers

Subjects

Written for

  • SANS
  • SANS

Seller

avatar-seller
julianah420

Reviews received

Content preview

SANS GCIH (SEC504)

Who should make the decision of when to put a system back into production?

A) Systems administrators
B) Business team
C) Security team
D) Data owner - answerB) Business team

Which command will display ASCII and Unicode strings within a malware sample?

A) cat
B) Get-Strings
C) strings
D) findstr - answerC) strings

Which type of system is most commonly used to investigate malware?

A) Virtual machine
B) Day-to-day host
C) Thick client
D) Production system - answerA) Virtual machine

If you believe your system has been the victim of a rootkit attack, what is the most cost-
effective form of eradication?

A) Restore the OS from the most recent backup.
B) Reformat, reinstall, and patch the system from the original media.
C) Patch and reboot the compromised system.
D) Install applications from a different vendor. - answerB) Reformat, reinstall, and patch
the system from the original media.

What tool is used to record the state of the registry before and after malware is
executed on an analysis system?

A) Regshot
B) Ollydbg
C) Wireshark
D) Regripper - answerA) Regshot

What method could be used to ensure that an asset under investigation is not put back
into production without approval before the investigation is complete?

,A) Move the asset to a different cloud data center.
B) Terminate the asset.
C) Shut off all administrative access to the cloud environment so no admins can make
changes.
D) Add an "under investigation" tag to the asset. - answerD) Add an "under
investigation" tag to the asset.

During the remediation phase of incident response, you remove a file from your infected
web server. What is the most important additional thing to do to prevent being
compromised again?

A) Determine the root cause of the attack.
B) Review your host-based firewall rules.
C) Restore the host data from backups.
D) Apply patches and harden the system. - answerA) Determine the root cause of the
attack.

Why is performing memory analysis on RAM images a staple of investigations?

A) Valuable information may exist in RAM, which might not be found on disk.
B) Speed - Evidence from a RAM image will match disk content.
C) RAM provides more consistent images than disk.
D) It's easier to look for historical information in RAM than on disk. - answerA) Valuable
information may exist in RAM, which might not be found on disk.

An investigator identifies the following POST request. Which log recorded the activity?

1583050850.951 185 192.168.40.123 TCP_MISS/200 1856 POST
https://update.googleapis.com/service/update2? -ORIGINAL_DST/172.219.10.153
text/xml

A) Switch access log
B) Regshot event log
C) Proxy access log
D) Windows event log - answerC) Proxy access log

What are two basic approaches commonly employed when investigating malware?

A) Running a penetration test and running a vulnerability scan.
B) Monitoring the environment and examining code.
C) Taking the environment offline and restoring from backups.
D) Performing a risk assessment and confirming a possible exploit type. - answerB)
Monitoring the environment and examining code.

What step should always be taken first during an incident?

, A) Identifying which systems are unpatched.
B) Verifying whether an incident occurred.
C) Determining which threat intelligence feeds to query.
D) Choosing which systems to rebuild. - answerB) Verifying whether an incident
occurred.

In what way is logging API access to a cloud environment a major incident response
benefit?

A) It helps to provide detailed insight into network activity for analysis.
B) It helps to understand the scope of the breach and the actions taken by an attacker.
C) It provides verification of breached data access.
D) It provides full packet capture visibility. - answerB) It helps to understand the scope
of the breach and the actions taken by an attacker.

API access logs include all programmatic access to cloud services, identity and key
use, and a record of attacker tactics used to exploit the cloud. These are the most
useful data for understanding the scope of a breach and the actions taken by the
attacker.

In a packet capture, an analyst observes that a system sent a frequent, small, outbound
communication to a known bad IP, over a seven-day period. What type of behavior is
possibly occurring?

A) Ack scan
B) Fragmentation
C) Beaconing
D) Traceroute - answerC) Beaconing

What are the phases of incident handling, in order, in the classic six-step incident
response process?

A) Preparation, identification, containment, eradication, recovery, and lessons learned.
B) Preparation, identification, containment, eradication, recovery, and prosecution.
C) Preparation, containment, eradication, recovery, retaliation, and lessons learned.
D) Preparation, identification, recovery, encapsulation, eradication, and lessons learned.
- answerA) Preparation, identification, containment, eradication, recovery, and lessons
learned.

Which Sysinternals tool can be used to collect detailed log event information for security
information and event monitoring and analysis?

A) Process Monitor
B) Autoruns
C) Procdump

The benefits of buying summaries with Stuvia:

Guaranteed quality through customer reviews

Guaranteed quality through customer reviews

Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.

Quick and easy check-out

Quick and easy check-out

You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.

Focus on what matters

Focus on what matters

Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!

Frequently asked questions

What do I get when I buy this document?

You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.

Satisfaction guarantee: how does it work?

Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.

Who am I buying these notes from?

Stuvia is a marketplace, so you are not buying this document from us, but from seller julianah420. Stuvia facilitates payment to the seller.

Will I be stuck with a subscription?

No, you only buy these notes for $18.49. You're not tied to anything after your purchase.

Can Stuvia be trusted?

4.6 stars on Google & Trustpilot (+1000 reviews)

76667 documents were sold in the last 30 days

Founded in 2010, the go-to place to buy study notes for 14 years now

Start selling
$18.49
  • (0)
  Add to cart